Unlike GDPR and SOC 2, organizations will face no penalties for noncompliance with the NIST CSF: It’s purely voluntary. Nevertheless, it serves as a singular guideline that CISOs can look to in a world of fragmented cybersecurity regulations.

The framework was first developed in 2014, after President Obama recognized the growing risk to critical infrastructure. The Cybersecurity Enhancement Act (CEA) of that year called for expanding the role of NIST to create a voluntary framework that identifies “a prioritized, flexible, repeatable, performance-based, and cost-effective approach” to managing cyber threats. A 2017 executive order by President Trump took the framework a step further by making it federal government policy.

After years of gathering feedback, version 1.1 of the framework was released in 2018 to provide “a more comprehensive treatment of identity management,” as well as additional information on managing supply chain cybersecurity. As a living document, the NIST CSF will continue to evolve as the industry provides feedback on implementation.

As the standard developed by the United States for managing cybersecurity risk, the NIST CSF is one that organizations would do well to heed. As with any standard, choosing to comply with the NIST CSF demonstrates to your clients that you’re serious about security, while improving your overall security posture and lessening the risk of a data breach and the financial losses, client churn, and reputational damage that go along with it.

A Definition of AWS PCI Compliance, Benefits, Requirements, and More

If your organization processes credit or debit card payments, PCI compliance is essential. If you are a merchant of any size accepting credit cards, you must be in compliance with PCI Security Standards. In this post, I’m going to walk you through what you need to know about AWS PCI compliance to ensure compliance in the cloud. Read more “What is AWS PCI Compliance?”

How Multinational Companies May be Affected by Their Subsidiaries’ Noncompliance

Introduction

Preparing for GDPR was similar to preparing for Y2K — heads down grinding with anxiety running high, only to find that May 25th came and went without a peep. So what was all that hard work and worry for, anyway? What drove all the privacy emails and data inventorying within companies? In all honesty, it was most likely driven by the high consequences that a company might suffer as a result of noncompliance. But just because your company is now “GDPR ready,” does that mean you’re safe from heavy fines?

Not necessarily. The noncompliance of other companies just might make you vulnerable.

The deadline for the General Data Protection Regulation (GDPR) is fast approaching, with May 25 marking the official day of reckoning. The updates to the data protection directive of 1995 (Directive 95/46/EC) are designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy rights, and to reshape the way organizations across the EU approach data privacy.

There’s a likelihood that Compliance has approached your DevOps team to get on board. But when Compliance talks, what do you hear? Are you truly understanding what’s required of you to become GDPR compliant? Let’s take a look at some of the possible gaps in knowledge below. Read more “GDPR: What Compliance Says vs. What DevOps Hears”

Recently, I had a great conversation with Sam Smith, the Chief Architect for Sigstr, a fast-growing SaaS platform for email signature marketing. Sigstr’s infrastructure is hosted and managed on AWS and secured by Threat Stack. Every day, Sigstr consumes and processes employee contact information from HRIS systems, customer information from marketing automation platforms, and email behavior data — which makes cloud security and data privacy key concerns for both Sigstr and its customers.

Sam’s team is a great model of how to make security a top business differentiator and sales driver. Since many of Sigstr’s customers are enterprise companies with significant risk concerns, the team has consistently been responsive to questions such as:

The European Union’s General Data Protection Regulation (GDPR) is going into effect in just two months — on May 25, 2018. Yet a recent Forrester report indicates that only about 30% of companies say they’re ready to comply, and at least some of those firms are actually overstating their readiness.

SOC 2 compliance is one of the most common customer use cases we come across at Threat Stack. Developed by the American Institute of CPAs (AICPA), the framework is designed for service providers storing customer data in the cloud, and SaaS companies among others often turn to us as they begin to feel overwhelmed by the requirements.

At Threat Stack, we often talk about visibility. We have promoted visibility from an operations perspective and have given our customers visibility into their environments through our intrusion detection platform. But when it comes to change management, how do we give ourselves the same level of visibility into our internal process changes at Threat Stack? This became a very real question as we decided to roll out our Type 2 SOC 2 program over the last year, and the answer turned out to be sockembot — an automated SOC 2 compliance checking bot that we describe in this blog post. Read more “sockembot: How Threat Stack Added Automation & Visibility to its SOC 2 Change Management Process”

SOC 2, which was developed by the American Institute of CPAs (AICPA), is specifically designed for service providers storing customer data in the cloud, which means that it applies to nearly every SaaS company operating today.

So, what is SOC 2 exactly? While the framework is a technical audit, it goes above and beyond this to require that companies establish and follow strict information security policies and procedures. The criteria for developing these policies and procedures are based on five “trust service principles” to ensure:

Security

Availability

Processing integrity

Confidentiality

Privacy of customer data

Compliance can be evaluated by independent auditors who assess a company’s ability to comply with these five principles.

SOC 2 is one of the more common requirements that SaaS companies must meet, but that doesn’t make compliance any simpler or dealing with an audit any less exacting. In this post we have laid out the most important requirements and the steps you should take to become compliant quickly in order to stay out of trouble with auditors and compete in a crowded SaaS market. Read more “How to Get Your SaaS Company SOC 2 Compliant With Minimal Headaches”

Introduction

The other week, Chris Lippert, Privacy Technical Lead at Schellman & Company, LLC., wrote an excellent blog post that explores overlaps and differences between GDPR and other frameworks, including ISO/IEC 27000, NIST, and PCI, as well as ways organizations can start to bridge the gaps to achieve alignment with GDPR.

In this post, Frank Kyazze, Senior Associate at Schellman, zeroes in on one of the questions that sit at the heart of the GDPR: “What is the Right to Erasure?” In this highly informative article, Frank explains some of the rights of data holders, responsibilities of data controllers, and best practices for effectively responding to requests for erasure. Read more “GDPR: What is the Right to Erasure?”